Data has become the fuel that drives major portions of the modern economy, and many tech companies depend on that fuel. But the increased importance has made these troves of data more attractive targets to hackers and other bad actors. With the current trend toward digital transformation and the importance of data in machine learning, sensitive information increasingly resides on third-party cloud servers, introducing additional security risks. Even locally stored data could be at risk—including potential breaches or careless or malicious employees. Any breach of data, whether locally or at the cloud level, can cause significant disruption to business operations.

Beyond the direct business impact of data security breaches, regulators are also taking a sharper look when it comes to business' data liability. Data security, or lack thereof, poses a direct risk to consumer privacy, as it subverts the purpose for which personal information was disclosed and subjects the consumer to loss of privacy, financial harm, falling victim to scams, and other potential negative consequences.

In January 2020, California became the first state to enact consumer privacy regulation (i.e., the CCPA) that imposed a statutory obligation on businesses to maintain reasonable security procedures and practices to protect consumer personal information from unauthorized use and disclosure. This year, both Virginia and Colorado have passed their own version of a consumer privacy regulation that also impose a statutory obligation of data security. Under California law, businesses may face penalties of up to $7,500 per violation (which, if applied to a data breach involving many data subjects, could be devastating). Typically violations can only be prosecuted by the California attorney general, but in the event of a data breach, consumers have a private right of action to bring claims against a business, for which damages can range between $100 to $750 per consumer per incident.